Cookie consent

TikTok dances to the tune of $5.4m cookie fine

The big social media fines just keep coming. Hot on the heels of Meta experiencing a $277m fine from the Irish Data Protection Commission, it’s now TikTok’s turn in the spotlight thanks to a cookie crumble. Can you walk into a huge fine in 2023 for making it difficult to refuse a cookie as easily as it might be to accept it? As it happens, you absolutely can, as TikTok is now finding out.

Commission nationale de l’informatique et des libertés (CNIL) in France has fined TikTok UK and TikTok Ireland €5M ($5.4M) for failing to comply with obligations set out in Article 82 of the French Data Protection Act.

While some of us may consider cookies to be a bit boring, there’s a lot more to it than complaining about those pop ups on every website. You can guarantee the accountants looking at the latest fines stacking up at their business are very interested indeed.

A fine old time

From the CNIL announcement:

“During the inspection carried out in June 2021, the CNIL noted that although the companies TIKTOK UK and TIKTOK IRELAND did offer a button allowing immediate acceptance of cookies, they did not put in place an equivalent solution (button or other) to allow the Internet user to refuse their deposit as easily. Several clicks were required to refuse all cookies, as opposed to just one to accept them.”

When it came to light that this mechanic was in place for cookies, the CNIL stance was that this process discouraged individuals from opting out or refusing. Instead, users chose the path of least resistance and agreed to what was put in front of them. This, in combination with information about the purpose of the cookies not being sufficiently accurate, was enough to incur the wrath of the CNIL.

Playing the waiting game

According to Bleeping Computer, TikTok received several warnings about this issue, with initial findings coming from a report in June 2021. Despite this, a proper reject all button was not implemented, nor given a “prominent position”, until February 2022. 

This is one of many large fines dished out by CNIL, and this is definitely something we’ll be seeing more of down the line. In terms of the cookie notification/consent issues themselves, it all feels a bit like a Roach Motel from the Dark Pattern playbook. This is a common marketing or advertising tactic where you make it easy to get in, but much harder to get out.

The dark patterns of cookie consent

Dark patterns are very much relevant to the subject of cookie disclosure and notification. Some of the biggest fines handed out in recent years have been cookie related, and some even mention the dark pattern aspect in relation to cookies. If you have one button to accept but multiple buttons to reject, it’s quite possible the CNIL will be paying you a visit. 

TikTok is now joining an increasingly less exclusive club which already includes the likes of Facebook and Google. Whether caught by the ePrivacy Directive or the GDPR, one thing is for certain: Social media giants need to ensure they’ve done a full sweep of their cookie cupboards. Regulators aren’t shy about handing out fines. The real question is, how big will they have to become before social media sites take the kind of pre-emptive action which causes fines not to be issued in the first place?

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.